Term · 11. Risk & Compliance
GLBA (Gramm-Leach-Bliley Act)
Definition
US federal law (1999) requiring financial institutions to safeguard customer information and disclose information-sharing practices. The Safeguards Rule (updated 2023) mandates a written information security program with access controls, encryption, MFA for non-public information access, and incident response procedures. The Privacy Rule governs how financial institutions share customer data with affiliates and non-affiliated third parties.
Synonyms
- Financial Services Modernization Act
Application
- Affects banks, credit unions, securities firms, insurance companies, and any business significantly engaged in financial activities. IDM/IAM impact: MFA mandatory for access to customer NPI, role-based access controls (RBAC), privileged access management (PAM) for administrative accounts, regular access reviews.
Sources
- FTC — GLBA Safeguards Rule primary source
Related terms
- CMMC (Cybersecurity Maturity Model Certification): US Department of Defense framework certifying cybersecurity practices of Defense Industrial Base (DIB) contractors handl …
- CSA CCoP (Cybersecurity Code of Practice for CII, Singapore): Singapore Cyber Security Agency's mandatory Code of Practice for Critical Information Infrastructure (CII) operators acr …
- MAS TRM (Monetary Authority of Singapore — Technology Risk Management Guidelines): Singapore central bank's prescriptive guidelines (revised 2021) for technology risk management at financial institutions …
- CCPA / CPRA (California Consumer Privacy Act / Privacy Rights Act): California state privacy law (CCPA 2018, expanded by CPRA 2020 effective 2023) granting California residents rights over …
- ENISA (European Union Agency for Cybersecurity): EU agency providing cybersecurity guidance, threat intelligence, and certification schemes across member states. Coordin …
- EU CRA (Cyber Resilience Act): EU regulation (Regulation (EU) 2024/2847; in force 10 Dec 2024) imposing cybersecurity requirements on products with dig …